DEF CON 26 Hacking Conference - DEF CON Media Server CON 26/DEF CON 26 presentations/DEF… ·...

49
I'LL SEE YOUR MISSLE AND RAISE YOU A MIRV: DEFCON 26

Transcript of DEF CON 26 Hacking Conference - DEF CON Media Server CON 26/DEF CON 26 presentations/DEF… ·...

I'LL SEE YOUR MISSLE AND RAISE YOU A MIRV:

DEFCON 26

01

02

04

03

AGENDA

PRESENTERS

STAGERS, CCDC, & HISTORY

Trampoline

Malware(s)

Exploit Payload

Dropper

Empire PupyMeterpreter

Professional offensive engagements (CCDC)

Context aware implant solutions

As a form of “packing”3rd party crimeware.

Now we're ready to release a re-written, shiny

new V1.0 version to you today!

Genesis Scripting Engine development

started in late 2017 to prepare for the 2018

CCDC season. We ended up using the BETA

version at WRCCDC and NCCDC in 2018.

Moved our tool chain to a golang, known as

Gooby. This included a golang dropper

experiment to abstract dropping from the

other cluster bomb tools, known as Genesis.

PRESENTING THE GENESIS SCRIPTING ENGINE

GSCRIPT

STANDARD LIBRARY

COMMAND LINE TOOL (CLI)

DEBUGGER

ENGINE

COMPILER

OBFUSCATOR

BASIC EXAMPLE:EMBED A PAYLOAD AND

WRITE TO A FILE

1) Write a gscript

01:00 – 02:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

OUR PORTFOLIO

10:00 – 11:00 AM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

WELCOME MESSAGE

11:00 – 12:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

ABOUT US

12:00 – 01:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

MEET THE TEAM

1) Write a gscript

01:00 – 02:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

OUR PORTFOLIO

10:00 – 11:00 AM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

WELCOME MESSAGE

11:00 – 12:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

ABOUT US

12:00 – 01:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

MEET THE TEAM

1) Write a gscript

2) Write another

01:00 – 02:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

OUR PORTFOLIO

10:00 – 11:00 AM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

WELCOME MESSAGE

11:00 – 12:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

ABOUT US

12:00 – 01:00 PM

Investment generally results in acquiring an asset, also called an investment. If the asset is available at a price worth investing,

normally expected either to generate income, or to appreciate in value

MEET THE TEAM

1) Write a gscript

2) Write another

3) Compile using CLI

gscript compile --output-file /tmp/opt/ex1/dropper.bin *.gs

1) Write a gscript

2) Write another

3) Compile using CLI

4) That's it!!! Run it!!!

1) Write a gscript

2) Write another

3) Compile using CLI

4) That's it!!! Run it!!!

WAIT, WUT? PLEASE EXPLAIN.

01

02

main()03

04

GSCRIPT

main()

Finally, the script's "entry point" is called. In

GSCRIPT, this is the Deploy() function defined in

your script.

Call Entry Point In VM

The first thing the engine does is create the V8 virtual

machine and prepare it for injection.

Initialize JS Virtual Machine

Native function interfaces are injected into mock JS

objects. Asset table mapped, and script loaded.

Inject Bundle (Script/Assets/Libs)

GSCRIPT COMPILER INTERNALS

The GSCRIPT compiler takes care of the rest. #WINNING

You can now use most exported, non-receiver functions. We've implemented a

return array for any multiple assignment Go functions so you never miss data or

errors.

The GSCRIPT compiler is smart enough to resolve your imports and ensure you're

calling functions for that package correctly.

//go_import

"This seems safe."

DEBUGGING

gscript shell

--macro/-m

gscript shell

--macro/-m

gscript shell

TypeOf(obj)

--macro/-m

gscript shell

--macro/-m

gscript shell

TypeOf(obj)SymbolTable()

CURRENT LIMITATIONS

The Javascript VM only supports ES5 at this time.

ES5 Support Only

Because of embedding all it's dependencies and

payloads, the binaries tend to be on the larger side.

(At least 2MB)

Large Binaries

There are several declaration types in Golang which

are not linkable yet. This includes const and var, as

well as any exported type that isn't returnable by a

function.

Go Types Lack Flexibility

There is no async() primitives in Javascript currently. If

you want to run async code, build a Go package that

manages the concurrency.

No Concurrency Primitives in JS

Golang's RE2 has some corner case incompatibilities

with Javascript regular expressions, preventing lots of

JS code from being runnable out of the box.

Limited Regex Support

Currently, GSCRIPT can only target a subset of Golang

target OSes and architectures.

No FreeBSD Support

GSCRIPTSTANDARD LIBRARY

crypto

encoding

exec

file

net

Name Current Uses

os

rand

requests

time

Various hashing algorithms & RSA key generation

Encoding & decoding base64

Blocking and non-blocking command execution

File operations - write, read, append, copy, replace

Functions to help determine if the machine is listening on tcp/udp ports

Genesis process control (terminate self, etc.)

Basic rand generators - int, strings, bools, etc.

Basic HTTP client for GET & POST of multiple content types

Retrieving system time in unix epoch

REAL WORLD APPLICATIONS

Lower Overhead

Infinite Expansion

Consistency

Self Documenting

Low Barrier to Entry

Cross-platformFeatures

1

2

3

4

GSCRIPT

TBDTBD

TBDTBD

DEMO TIME

#1: DAN'S EXAMPLE ORDINANCE

#1: PRESENTER'S PAYLOAD D'JOUR

#3: THE PEOPLE'S BINARY

https://github.com/gen0cide/gscript

GET CONNECTED

TWITTER: @1njectionGITHUB: github.com/ahhhBLOG: lockboxx.blogspot.com

TWITTER: @vyrusGITHUB: github.com/vyrus001EMAIL: [email protected]

TWITTER: @alexlevinsonGITHUB: github.com/gen0cideEMAIL: [email protected]